How to create a service that has network admin privileges through the Docker Engine API


Question

I am building a chaos engineering tool for Docker Swarms. I am wanting to use iproute2 so I can inject packet delays into the docker swarm. To do this I need to create a swarm service that has network admin privileges through the Docker Engine API (v1.43).

I can see that I can create a container with network admin privileges with CapAdd in HostConfig using the NET_ADMIN option (https://docs.docker.com/engine/api/v1.43/#tag/Container/operation/ContainerCreate). However in the Docker Engine API documentation for creating a service (https://docs.docker.com/engine/api/v1.43/#tag/Service/operation/ServiceCreate) in ContainerSpec there is also CapabilityAdd but there are only 4 options which are "CAP_NET_RAW", "CAP_SYS_ADMIN", "CAP_SYS_CHROOT", "CAP_SYSLOG". There is no NET_ADMIN option. Does anyone have any solutions to this or any workarounds I could use so that I can create a service with NET_ADMIN privileges?


Answer 1

Score: 1

I eventually reached a solution and solved my own problem. In case anyone else has a similar issue, I have explained my solution. It is not shown in the Docker Engine API documentation but to make the service NET_ADMIN, simply use:

    "CapabilityAdd": [
        "CAP_NET_ADMIN"
    ]

I believe any of the capabilities listed here in the Linux capabilities documentation can be used (https://man7.org/linux/man-pages/man7/capabilities.7.html). Also if like me you are wanting to interfere with a docker swarm network from inside a container, you should set the network mode to "host", so that you can interact with all the networks running on the host. You can do this as shown below.

    "Networks": [
        {
            "Target": "host"
        }
    ]

huangapple
  • This post was published on 29 June 2023 at 20:16:15
  • Please keep this link when reposting: https://go.coder-hub.com/76580967.html